Bad Rabbit
Bad Rabbit is a ransomware family closely related to NotPetya. Despite reusing the original Petya code, the authors used the open-source DiskCryptor utility for disk encryption instead. Bad Rabbit has EternalRomance spreading capabilities similar to NotPetya (with which it shares 27% of its code). It pretends to be an Adobe Flash update and requests Administrator privileges. The main Bad Rabbit executable is signed with a Symantec certificate and has Adobe Systems Incorporated as Publisher and "Adobe Flash® Player Installer/Uninstaller 27.0 r0" as Program and as description.

Payload

If the malware obtains the privileges it wants, it adjusts its own privileges (using the AdjustTokenPrivileges function) and checks for debugging (using the IsDebuggerPresent function, and also by checking the debugging flags in the PEB of the current process). If the malware detects a typical end-user environment, it launches a spreading thread that searches for computers vulnerable to the EternalBlue exploit on the LSASS ports 445 and 139. It then also searches for connected computers to brute-force over SMB, using a hard-coded list of user names and passwords; it also calls the CredEnumerateW function in a way that helps the malware spread. It creates the file infpub.dat, the main Bad Rabbit DLL, in the WINDOWS folder. rundll32.exe is run against the Bad Rabbit DLL with the string "#1 15" as parameter. WMI is also used to spread. It also creates the files cscc.dat and dispci.exe. dispci.exe is scheduled by the DLL, using schtasks, as a SYSTEM-privileged task called rhaegal, with a -id argument passed to it. It is an EXE file that sends specific IOCTL commands to cscc.dat (using the DeviceIoControl function) and encrypts the disk. dispci.exe has "Microsoft Display Class Installer" as description, http://diskcryptor.com as Legal Copyright and GrayWorm as Product Name.
cscc.dat is then launched as a SYSTEM-privileged service using the CreateServiceW function, under the name "Windows Client Side Caching DDriver"; if the function fails, the Registry is edited instead. It is the disk encryption component of the malware; it is legitimate and part of the DiskCryptor utility, as is part of the dispci.exe file. Two more tasks are created: viserion, which shuts down the machine (created by dispci.exe), and drogon, which shuts down the machine as well. The viserion task is actually a sequence of tasks (viserion_0, viserion_1, viserion_2...), created one after another for unknown reasons, each containing instructions that shut down the PC. The DLL then runs the fsutil and wevtutil commands to erase the USN journal of the disk and clear the Setup, System, Security and Application logs (the command run is cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:). drogon, viserion and rhaegal are Game of Thrones references. A file xxxx.tmp is also created: a Mimikatz module used to steal credentials from the machine and spread into the network, in the same way NotPetya uses its Mimikatz module. dispci.exe then sends IOCTL commands that make DiskCryptor encrypt the hard disk; the bootloader is therefore not a Petya one but a legitimate, modified DiskCryptor bootloader that runs the Bad Rabbit kernel (a modified Petya kernel with a different message, different Tor C&C links and different encryption master keys). dispci.exe then restarts the system after a while. The malware then encrypts every file on every disk connected to the machine, probably with AES-128 in CBC mode together with RSA-2048, making the files undecryptable.
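The component launch, scheduled-task and log-wiping behaviours described above can be expressed as simple host-log detection rules. The following Python script is an added example, not code from the original article or from any vendor: the log lines it scans are constructed for illustration, and the log format, rule names and the min_rules threshold are assumptions.

```python
import re

# Constructed sample process-creation / service-install log lines (not real
# telemetry). Assumed format: "<timestamp> <user> <command line or event text>".
SAMPLE_LOG = "\n".join([
    r'2017-10-24T12:01:03Z CORP\jdoe rundll32.exe C:\Windows\infpub.dat,#1 15',
    r'2017-10-24T12:01:04Z NT AUTHORITY\SYSTEM schtasks.exe /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234"',
    r'2017-10-24T12:01:05Z NT AUTHORITY\SYSTEM cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    r'2017-10-24T12:01:06Z NT AUTHORITY\SYSTEM services.exe installed service "Windows Client Side Caching DDriver" image C:\Windows\cscc.dat',
    r'2017-10-24T12:01:07Z NT AUTHORITY\SYSTEM schtasks.exe /Create /SC once /TN drogon /RU SYSTEM /TR "shutdown.exe /r /t 0 /f"',
    r'2017-10-24T12:05:00Z CORP\jdoe rundll32.exe shell32.dll,Control_RunDLL',
    r'2017-10-24T12:06:00Z CORP\admin wevtutil.exe qe Security /c:5 /f:text',
])

# One rule per behaviour from the write-up; rule names are our own labels.
RULES = [
    # main DLL started through rundll32 with the "#1 15" export/argument
    ("infpub_dll_launch",
     re.compile(r"\brundll32(?:\.exe)?\b.*\binfpub\.dat\s*,\s*#1\b", re.I)),
    # scheduled tasks named after the Game of Thrones dragons
    ("got_task_names",
     re.compile(r'\bschtasks\b.*/tn\s+"?(?:rhaegal|drogon|viserion(?:_\d+)?)\b', re.I)),
    # event-log clearing chained with USN journal deletion in one command
    ("log_and_usn_wipe",
     re.compile(r"\bwevtutil\s+cl\b.*\bfsutil\s+usn\s+deletejournal\b", re.I)),
    # DiskCryptor driver/client dropped into C:\Windows, or its service name
    ("diskcryptor_component",
     re.compile(r"\\windows\\(?:cscc\.dat|dispci\.exe)\b|client side caching ddriver", re.I)),
]

def scan(log_text):
    """Return (line_number, rule_name) pairs for every rule that fires on a line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def verdict(hits, min_rules=2):
    """A single rule can misfire; require >= min_rules distinct behaviours (assumed threshold)."""
    return len({name for _, name in hits}) >= min_rules

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for lineno, name in found:
        print(f"line {lineno}: {name}")
    print("Bad Rabbit behaviour chain detected:", verdict(found))
```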
A file Readme.txt is present on every encrypted disk and in every encrypted folder, containing the same message that is later displayed on screen by the MBR payload. The malware skips the Windows, Program Files, ProgramData and AppData folders. The key is randomly generated using the ADVAPI32.DLL API CryptGenRandom. Files with the following extensions are encrypted (the .encrypted extension is added to encrypted files): .3ds, .7z, .accdb, .ai, .asmm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odpm, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

There is no fake CHKDSK screen and no skull payload (unlike NotPetya); a message similar to the NotPetya one is displayed on screen. The shutdown command is used, in the same way NotPetya uses it, instead of the NtRaiseHardError function.

Affected Organizations

* Odessa airport (Ukraine)
* Kiev Metro (Ukraine)
* Interfax (Russia)